@csermet/multiprovider

cloud-graph provider plugin for AWS used to fetch AWS cloud data.

# CloudGraph AWS Provider

Use the CloudGraph AWS Provider to scan and normalize cloud infrastructure using the [AWS SDK](https://github.com/aws/aws-sdk-js)

<!-- toc -->

- [CloudGraph AWS Provider](#cloudgraph-aws-provider)
  - [Docs](#docs)
  - [Install](#install)
  - [Authentication](#authentication)
  - [Multi Account](#multi-account)
  - [Configuration](#configuration)
  - [Supported Services](#supported-services)

<!-- tocstop -->

# Docs

⭐ [CloudGraph Readme](https://github.com/cloudgraphdev/cli)

💻 [Full CloudGraph Documentation Including AWS Examples](https://docs.cloudgraph.dev)

# Install

Install the aws provider in CloudGraph

```
cg init aws
```

# Authentication

Authenticate the CloudGraph AWS Provider in any of the following ways:

- Credentials from env variables: `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `AWS_SESSION_TOKEN`
- Credentials found in the `credentials` file under `~/.aws` (any profile, defaults to `default`)

CloudGraph needs read permissions in order to ingest your data. To keep things easy you can use the same permissions that we use internally when we run CloudGraph to power AutoCloud. Here are the [AWS Docs](https://docs.autocloud.dev/connect-an-environment/aws) for generating the correct Role (feel free to leave out AutoCloud specific configuration).

# Multi Account

CloudGraph is able to scan multiple AWS accounts at once. This is done by setting up multiple profiles in your `~/.aws/credentials` file and then selecting all the profiles you want to crawl when running `cg init`. All resources will be tagged with an `accountId` so you can query resources specific to an account or query resources **across** accounts!
# Configuration

CloudGraph creates a configuration file at:

- UNIX: `~/.config/cloudgraph/.cloud-graphrc.json`
- Windows: `%LOCALAPPDATA%\cloudgraph/.cloud-graphrc.json`

NOTE: CloudGraph will output where it stores the configuration file and provider data as part of the `cg init` command

CloudGraph will generate this configuration file when you run `cg init aws`. You may update it manually or by running `cg init aws` again.

```
"aws": {
  "profileApprovedList": [
    "default",
    "master",
    "sandbox"
  ], // Optional, defaults to the default profile
  "regions": "us-east-1,us-east-2,us-west-2",
  "resources": "alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,vpc,sqs,s3"
}
}
```

CloudGraph AWS Provider will ask you what regions you would like to crawl and will by default crawl for **all** supported resources in **selected** regions in the **default** account. You can update the `regions`, `resources`, or `profile` fields in the `cloud-graphrc.json` file to change this behavior.
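The multi-account and configuration sections above both depend on the `aws` section of `.cloud-graphrc.json` agreeing with what is actually in `~/.aws/credentials`. The following is an added example, not code from the CloudGraph project, that checks a config object before a scan: every approved profile must have a `[profile]` section in the credentials file, every region must have the usual AWS region shape, and every resource name must be one the provider knows. It assumes the config shape shown above and uses the resource names from the example `resources` string as the known set (the provider's real list is longer).

```javascript
// Added example, not part of the CloudGraph project: sanity-check the "aws"
// section of .cloud-graphrc.json against the AWS credentials file before a scan.
// Assumptions: the config shape shown in the README, an INI-style credentials
// file with [profile] headers, and the example "resources" string as the known set.

// Known resource names, taken from the example "resources" value in the README.
const KNOWN_RESOURCES = new Set(
  ('alb,apiGatewayResource,apiGatewayRestApi,apiGatewayStage,appSync,asg,billing,' +
   'cognitoIdentityPool,cognitoUserPool,cloudFormationStack,cloudFormationStackSet,' +
   'cloudfront,cloudwatch,ebs,ec2Instance,eip,elb,igw,kinesisFirehose,kinesisStream,' +
   'kms,lambda,nat,networkInterface,route53HostedZone,route53Record,routeTable,sg,' +
   'vpc,sqs,s3').split(','));

// Constructed sample config with three deliberate mistakes: a profile with no
// credentials ("sandbox"), a malformed region ("us-east") and a misspelled resource.
const sampleAwsConfig = {
  profileApprovedList: ['default', 'master', 'sandbox'],
  regions: 'us-east-1, us-east-2,us-west-2,us-east',
  resources: 'alb,ec2Instance,kms,lamda,s3,sg,vpc',
};

// Constructed sample ~/.aws/credentials content (placeholder values, not real keys).
const sampleCredentials = [
  '[default]', 'aws_access_key_id = PLACEHOLDER', 'aws_secret_access_key = PLACEHOLDER',
  '[master]',  'aws_access_key_id = PLACEHOLDER', 'aws_secret_access_key = PLACEHOLDER',
].join('\n');

// Return the [section] names of an INI-style credentials file.
function credentialProfiles(ini) {
  return ini.split('\n')
    .map(line => line.trim())
    .filter(line => /^\[[^\]]+\]$/.test(line))
    .map(line => line.slice(1, -1));
}

// Split a comma-separated config value, dropping whitespace and empty entries.
function splitList(value) {
  return value.split(',').map(s => s.trim()).filter(Boolean);
}

// Report every profile, region and resource the scan could not use as written.
function checkAwsConfig(aws, credentialsIni) {
  const profiles = new Set(credentialProfiles(credentialsIni));
  const regionShape = /^[a-z]{2}(-gov)?-[a-z]+-\d$/;
  return {
    missingProfiles: aws.profileApprovedList.filter(p => !profiles.has(p)),
    badRegions: splitList(aws.regions).filter(r => !regionShape.test(r)),
    unknownResources: splitList(aws.resources).filter(r => !KNOWN_RESOURCES.has(r)),
  };
}
console.log(checkAwsConfig(sampleAwsConfig, sampleCredentials));
```

Run it against the real files by replacing the two constructed samples with `JSON.parse(fs.readFileSync(...)).aws` and the contents of `~/.aws/credentials`.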
You can also select which `resources` to crawl in the `cg init aws` command by passing the `-r` flag: `cg init aws -r`

# Supported Services

| Service | Relations |
| --- | --- |
| acm | |
| alb | ec2, elasticBeanstalkEnv, route53Record, securityGroup, subnet, vpc, wafV2WebAcl |
| apiGatewayDomainName | apiGatewayHttpApi, apiGatewayRestApi |
| apiGatewayHttpApi | apiGatewayDomainName |
| apiGatewayRestApi | apiGatewayDomainName, apiGatewayResource, apiGatewayStage, route53Record |
| apiGatewayStage | apiGatewayRestApi, wafV2WebAcl |
| apiGatewayResource | apiGatewayRestApi |
| appSync | cognitoUserPool, dynamodb, iamRole, lambda, rdsCluster, wafV2WebAcl |
| asg | ebs, ec2, elasticBeanstalkEnv, iamRole, securityGroup, subnet |
| athenaDataCatalog | |
| clientVpnEndpoint | securityGroup |
| cloud9 | |
| cloudformationStack | cloudformationStack, iamRole, sns |
| cloudformationStackSet | iamRole |
| cloudfront | cloudwatch, elb, s3 |
| cloudtrail | cloudwatch, cloudwatchLog, kms, s3, sns |
| cloudwatch | cloudfront, cloudtrail, cloudwatchLog, sns |
| cloudwatchLog | cloudtrail, cloudwatch, ecsCluster, elasticSearchDomain, kms, managedAirflow, rdsDbInstance |
| codebuild | iamRole, kms, vpc, securityGroup, subnet |
| cognitoIdentityPool | iamRole, iamOpenIdConnectProvider, iamSamlProvider, elasticSearchDomain |
| cognitoUserPool | appSync, elasticSearchDomain, lambda |
| configurationRecorder | iamRole |
| customerGateway | vpnConnection |
| dynamodb | appSync, iamRole, kms |
| dmsReplicationInstance | securityGroup, subnet, vpc, kms |
| ebs | asg, ec2, emrInstance, ebsSnapshot |
| ebsSnapshot | ebs, kms |
| ec2 | alb, asg, ebs, eip, emrInstance, eksCluster, elasticBeanstalkEnv, iamInstanceProfile, iamRole, networkInterface, securityGroup, subnet, systemsManagerInstance, vpc, ecsContainer |
| ecr | |
| ecsCluster | cloudwatchLog, ecsService, ecsTask, ecsTaskSet, kms, s3 |
| ecsContainer | ecsTask, ec2 |
| ecsService | ecsCluster, ecsTaskDefinition, ecsTaskSet, elb, iamRole, securityGroup, subnet, vpc |
| ecsTask | ecsContainer, ecsCluster, ecsTaskDefinition, iamRole |
| ecsTaskDefinition | ecsService, ecsTask, ecsTaskSet, iamRole |
| ecsTaskSet | ecsCluster, ecsService, ecsTaskDefinition |
| efs | kms |
| efsMountTarget | networkInterface, subnet, vpc |
| eip | ec2, networkInterface, vpc |
| eksCluster | ec2, iamRole, kms, securityGroup, subnet, vpc |
| elastiCacheCluster | securityGroup, subnet, vpc |
| elastiCacheReplicationGroup | kms |
| elasticBeanstalkApp | elasticBeanstalkEnv, iamRole |
| elasticBeanstalkEnv | alb, asg, ec2, elb, elasticBeanstalkApp, iamRole, sqs |
| elasticSearchDomain | cloudwatchLog, cognitoIdentityPool, cognitoUserPool, iamRole, kms, securityGroup, subnet, vpc |
| elb | cloudfront, ecsService, elasticBeanstalkEnv, securityGroup, subnet, vpc |
| emrCluster | iamRole, kms, subnet |
| emrInstance | ebs, ec2 |
| emrStep | |
| flowLog | vpc, iamRole, subnet, networkInterface |
| glueJob | iamRole |
| glueRegistry | |
| guardDutyDetector | iamRole |
| iamAccessAnalyzer | |
| iamInstanceProfile | ec2, iamRole |
| iamPasswordPolicy | |
| iamSamlProvider | cognitoIdentityPool |
| iamOpenIdConnectProvider | cognitoIdentityPool |
| iamServerCertificate | |
| iamUser | iamGroup |
| iamPolicy | iamRole, iamGroup |
| iamRole | appSync, asg, cloudformationStackSet, codebuild, cognitoIdentityPool, configurationRecorder, ec2, ecsTask, ecsTaskDefinition, iamInstanceProfile, iamPolicy, eksCluster, ecsService, emrCluster, flowLog, glueJob, managedAirflow, s3, sageMakerNotebookInstance, systemsManagerInstance, guardDutyDetector, lambda, kinesisFirehose, rdsCluster, rdsDbInstance, elasticBeanstalkApp, elasticBeanstalkEnv, elasticSearchDomain |
| iamGroup | iamUser, iamPolicy |
| igw | vpc |
| iot | |
| kinesisFirehose | kinesisStream, s3, iamRole |
| kinesisStream | kinesisFirehose |
| kms | cloudtrail, cloudwatchLog, codebuild, ecsCluster, efs, eksCluster, elastiCacheReplicationGroup, elasticSearchDomain, emrCluster, managedAirflow, lambda, rdsCluster, rdsClusterSnapshot, rdsDbInstance, sns, sageMakerNotebookInstance, secretsManager, dmsReplicationInstance, redshiftCluster, s3, ebsSnapshot |
| lambda | appSync, cognitoUserPool, kms, s3, secretsManager, securityGroup, subnet, vpc, iamRole |
| managedAirflow | cloudwatchLog, iamRole, kms, securityGroups, subnet, s3 |
| managedPrefixList | |
| mskCluster | securityGroup, subnet |
| nacl | vpc |
| natGateway | networkInterface, subnet, vpc |
| networkInterface | ec2, eip, efsMountTarget, natGateway, sageMakerNotebookInstance, subnet, vpc, vpcEndpoint, flowLog, securityGroup |
| organization | |
| rdsCluster | appSync, rdsClusterSnapshot, rdsDbInstance, route53HostedZone, securityGroup, subnet, iamRole, kms |
| rdsClusterSnapshot | kms, rdsCluster, vpc |
| rdsDbInstance | kms, iamRole, rdsCluster, securityGroup, vpc, subnet, cloudwatchLog |
| redshiftCluster | kms, vpc |
| route53Record | alb, apiGatewayRestApi, elb, route53HostedZone |
| route53HostedZone | rdsCluster, route53Record, vpc |
| routeTable | subnet, vpc, vpcEndpoint |
| sageMakerExperiment | |
| sageMakerNotebookInstance | iamRole, kms, networkInterface, subnet, securityGroup |
| sageMakerProject | |
| s3 | cloudfront, cloudtrail, ecsCluster, iamRole, kinesisFirehose, kms, lambda, managedAirflow, sns, sqs |
| secretsManager | kms, lambda |
| securityGroup | alb, asg, clientVpnEndpoint, codebuild, dmsReplicationInstance, ecsService, lambda, ec2, elasticSearchDomain, elb, rdsCluster, rdsDbInstance, eksCluster, elastiCacheCluster, managedAirflow, sageMakerNotebookInstance, networkInterface, vpcEndpoint, mskCluster |
| securityHub | |
| ses | |
| sns | kms, cloudtrail, cloudwatch, s3 |
| sqs | elasticBeanstalkEnv, s3 |
| subnet | alb, asg, codebuild, dmsReplicationInstance, ec2, ecsService, efsMountTarget, elastiCacheCluster, elasticSearchDomain, elb, lambda, managedAirflow, natGateway, networkInterface, rdsCluster, sageMakerNotebookInstance, routeTable, vpc, vpcEndpoint, eksCluster, emrCluster, flowLog, mskCluster |
| systemsManagerInstance | ec2, iamRole |
| systemsManagerDocument | |
| transitGateway | transitGatewayAttachment, transitGatewayRouteTable, vpnConnection |
| transitGatewayAttachment | transitGateway, transitGatewayRouteTable, vpc, vpnConnection |
| transitGatewayRouteTable | transitGateway, transitGatewayAttachment |
| vpc | alb, codebuild, dmsReplicationInstance, ec2, eip, elb, ecsService, efsMountTarget, eksCluster, igw, elastiCacheCluster, elasticSearchDomain, lambda, nacl, natGateway, networkInterface, rdsClusterSnapshot, rdsDbInstance, redshiftCluster, route53HostedZone, routeTable, subnet, flowLog, vpnGateway, transitGatewayAttachment, vpcEndpoint, vpcPeeringConnection |
| vpcEndpoint | networkInterface, routeTable, securityGroup, subnet, vpc |
| vpcPeeringConnection | vpc |
| vpnConnection | customerGateway, transitGateway, transitGatewayAttachment, vpnGateway |
| vpnGateway | vpc, vpnConnection |
| wafV2WebAcl | appSync, apiGatewayStage, alb |

# cloudgraph-provider-multiprovider